id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
16449	incorrect referer check in check_admin_referer()	indie-ulf	markjaquith	"The check_admin_referer() function is defined this way:

""Tests if the current request was referred from an admin page, or (given $action parameter) if the current request carries a valid nonce. Used to avoid security exploits.""

The older, less secure form with no parameter (""check_admin_referer()"") still works, it's not documented as deprecated anywhere, and at least one plugin with more than 190,000 downloads uses it.

The problem is that it's not secure. An attacker can fool it easily like this:

1) Put up pages ""one.html"" and ""two.html"" on evilsite.com, where ""one.html"" includes ""two.html"" in an iframe, and ""two.html"" performs a CSRF attack against the admin part of a plugin in Victim's WP install.

2) ""one.html"" should include Victim's WP admin URL in the query string for the URL given for ""two.html"" in the iframe ( http://evilsite.com/two.html?foobar=http://victim.vi/wp-admin/ ). ''The Referer check in check_admin_referer() erroneously uses strpos() !== false, so it will be fooled by a Referer that looks like this.''

3) Entice a logged-in administrator to visit http://evilsite.com/one.html .

I have attached a patch that should correct this issue by changing the strpos() call. I hope it won't break anything.

Ulf Harnhammar
"	defect (bug)	closed	normal	3.1	Security	3.0.4	normal	fixed	has-patch needs-testing	
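Added illustration of the check described in the ticket; this is not WordPress code and not the reporter's attached patch. `weak_admin_referer_check()` models the `strpos() !== false` behaviour the report describes, and `strict_admin_referer_check()` is an assumed hardening (a prefix comparison on the full Referer) written for this example; the function names, the admin URL and the sample Referer strings are constructed here.

```php
<?php
// Added example, not WordPress code: a Referer check modelled on the ticket's
// description beside an assumed prefix-based replacement.

/**
 * Weak check: passes whenever the admin URL appears ANYWHERE in the Referer.
 * This is the strpos() !== false behaviour the ticket describes, so a Referer
 * such as http://evilsite.com/two.html?foobar=http://victim.vi/wp-admin/ passes.
 */
function weak_admin_referer_check( $referer, $admin_url ) {
    return strpos( $referer, $admin_url ) !== false;
}

/**
 * Stricter check (assumed hardening, not the attached patch): the Referer must
 * START with the admin URL, i.e. same scheme, host and path prefix, so an
 * attacker page that merely mentions the admin URL in its query string fails.
 * An empty Referer is treated as untrusted rather than skipped.
 */
function strict_admin_referer_check( $referer, $admin_url ) {
    if ( $referer === '' ) {
        return false;
    }
    return strncmp( $referer, $admin_url, strlen( $admin_url ) ) === 0;
}

$admin_url = 'http://victim.vi/wp-admin/';

// Constructed sample Referer values: a genuine admin page, the attacker page
// from step 2 of the report, and a request that carries no Referer at all.
$cases = array(
    'legitimate admin page'     => 'http://victim.vi/wp-admin/plugins.php',
    'attacker page from step 2' => 'http://evilsite.com/two.html?foobar=http://victim.vi/wp-admin/',
    'no Referer header'         => '',
);

foreach ( $cases as $label => $referer ) {
    printf(
        "%-26s weak=%-4s strict=%s\n",
        $label,
        weak_admin_referer_check( $referer, $admin_url ) ? 'pass' : 'fail',
        strict_admin_referer_check( $referer, $admin_url ) ? 'pass' : 'fail'
    );
}
```

Run with `php example.php`: the weak check accepts the attacker's Referer because the admin URL occurs inside its query string, while the prefix check rejects it. Even the prefix form only verifies where the browser says the request came from; the Referer header can be absent or stripped, so the nonce-based form the quoted documentation mentions (`check_admin_referer( $action )`) is the check to rely on for CSRF protection.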
